1. Namespaces
Namespace:
A namespace partitions cluster resources for isolation. By default it isolates only resources, not the network.
namespace
- prod
  - application A, config A
  - application B, config B
Default namespaces:
- default
- kube-node-lease
- kube-public
- kube-system
- kubernetes-dashboard
Listing: get ns
kubectl get ns   # namespace
NAME                   STATUS   AGE
default                Active   8h
kube-node-lease        Active   8h
kube-public            Active   8h
kube-system            Active   8h    # all of calico, coredns, etcd, ...
kubernetes-dashboard   Active   49m   # dashboard components
Every deployed pod belongs to a namespace.
Create and delete: create ns
kubectl create ns hello
kubectl delete ns hello
apiVersion: v1
kind: Namespace
metadata:
  name: hello
kubectl apply -f nscreate.yaml
kubectl delete -f nscreate.yaml
-f, --filename=[]: containing the resource to delete.
2. Pods
A Pod is a group of running containers; it is the smallest deployable unit of an application in Kubernetes.
- It wraps one or more Docker containers in an extra layer, like a dormitory room.
- Rooms (Pods) are isolated from each other.
- A single container is often not enough; several containers may work together on one job and are packaged as one Pod:
  - the first container downloads,
  - the second container serves what was downloaded,
  - and the two share one volume.
CRI: Container Runtime Interface
- here that is Docker
kubectl get pod -A   # READY 1/1 means the pod has one container, and it is working
NAMESPACE     NAME                                       READY   STATUS   RESTARTS   AGE
kube-system   calico-kube-controllers-558995777d-grpms   1/1
Viewing
Note: pods and pod do the same thing
kubectl get pods   # lists the pods of the default namespace, the same as -n default
No resources found in default namespace.
# k8s assigns every Pod an IP
kubectl get pod -owide -A   # detailed view
docker ps | grep mynginx    # find the node the pod runs on; on that node docker can see the container
kubectl get pods -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-558995777d-grpms   1/1     Running   1          152m
kubectl get pods -n kubernetes-dashboard
Run, describe, delete, logs, exec
kubectl run mynginx --image=nginx
# describe
kubectl describe pod <your pod name>
# delete
kubectl delete pod <pod name>   # add -n <namespace> if needed
kubectl delete pod myapp abc -n default   # delete several at once
# view a Pod's logs
kubectl logs <pod name>
# use the Pod IP + the port of the container running inside it
# any machine and any application in the cluster can reach the Pod through the IP assigned to it
curl 192.168.169.136
# exec into the pod
kubectl exec -it mynginx -- /bin/bash
kubectl describe pod mynginx
kubectl describe -n kube-system pod calico-kube-controllers-558995777d-grpms   # -n selects the namespace
Type    Reason     Age        From               Message
----    ------     ----       ----               -------
Normal  Scheduled  4m52s      default-scheduler  Successfully assigned default/mynginx to node1
Normal  Pulling    <invalid>  kubelet            Pulling image "nginx"
Normal  Pulled     <invalid>  kubelet            Successfully pulled image "nginx" in 17.360379565s
Normal  Created    <invalid>  kubelet            Created container mynginx
Normal  Started    <invalid>  kubelet            Started container mynginx
describe /dɪˈskraɪb/ v. to depict, to portray; to trace (a motion or shape)
Looking inside the nginx pod
# inside the container
/usr/share/nginx/html# cat index.html
echo "1111" > index.html
whereis nginx
nginx: /usr/sbin/nginx /usr/lib/nginx /etc/nginx /usr/share/nginx
cat /etc/nginx/nginx.conf
http {
    include /etc/nginx/conf.d/*.conf;
}
cat /etc/nginx/conf.d/default.conf
location / {
    root   /usr/share/nginx/html;
    index  index.html index.htm;
}
Creating with YAML
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: mynginx
  name: mynginx
  namespace: default
spec:
  containers:
  - image: nginx
    name: mynginx   # container name; it matters later, e.g. for upgrades
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: myapp
  name: myapp
spec:
  containers:
  - image: nginx
    name: nginx
  - image: tomcat:8.5.68
    name: tomcat
Watching the status, and reaching the containers of a multi-container pod
kubectl get pod   # this pod packs two containers
NAME    READY   STATUS              RESTARTS   AGE
myapp   0/2     ContainerCreating   0          50s
watch -n 1 kubectl get pod   # re-run every second
kubectl get pod -w           # the watch built into k8s
# one pod running two images
# port 80 reaches nginx, port 8080 reaches Tomcat
curl 192.168.104.2:80
# nginx only needs 127.0.0.1 to reach Tomcat:
# the containers share the network namespace and the storage, like roommates on one computer
# after exec'ing into Tomcat:
root@myapp:/usr/local/tomcat#
# reach nginx
curl 127.0.0.1:80
- metadata: identifies the API object; contains namespace, name, uid, etc.
- Creating from the dashboard: the + in the top-right corner, "Create from form"; this creates a Deployment.
Viewing startup logs: logs -f --tail
kubectl logs -f --tail 10 mynginx   # last 10 lines
docker logs -f -t --tail 10 c3630e5cb206
-t, --timestamps Show timestamps   # not supported by k8s
# Follow log output: follows the log, blocking
-f, --follow=false: Specify if the logs should be streamed.
pod-network-cidr at init time
kubeadm init \
  --pod-network-cidr=192.168.0.0/16
# this is the Pod IP range; if it differs from calico.yaml, the calico setting wins
cat calico.yaml | grep 172
value: "172.15.0.0/16"
# if calico and kubeadm disagree, comment out calico's IP setting and reinstall; the IPs then come out right
3. Deployments
A Deployment controls Pods, giving them multiple replicas, self-healing, scaling and more.
Create and delete: deployment
# clear all Pods first, then compare the effect of these two commands
kubectl run mynginx --image=nginx   # creates a single, standalone pod
kubectl create deployment mytomcat --image=tomcat:8.5.68
# the difference: a deployment self-heals; if the pod goes down or is deleted, another one is started
# delete this deployment
kubectl delete -n default deployment mytomcat
kubectl delete deploy mytomcat   # short form
Creating with multiple replicas
kubectl create deployment my-dep --image=nginx --replicas=3
replica n. a copy, a reproduction
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: my-dep
  name: my-dep
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-dep
  template:
    metadata:
      labels:
        app: my-dep
    spec:
      containers:
      - image: nginx
        name: nginx
Scaling: scale --replicas=
kubectl get deploy
kubectl scale --replicas=5 deployment/my-dep   # --replicas=5 may also go last
kubectl edit deployment my-dep
# edit replicas
scale /skeɪl/ n. scales, balance; Libra (the Scales); grade, level; graduation, gauge v. to resize (text, images); to scale (fish); to climb over; to scrape off (tartar)
Self-healing & failover
- Self-healing: when the service fails, try to restart it.
- When a machine fails and goes offline, the services inside it are brought up again somewhere else, i.e. the Pods on that machine are moved to another machine.
- Machine down
- Pod deleted
- Container crashed
Self-healing
kubectl get pod -owide   # find the node, then stop the container there with docker stop
docker ps | grep my-deploy-01-6f9c5575cc-v9dhf
docker stop 141f6a1aef96
# after stopping, the container status becomes Completed, then it restarts automatically
Now the container's RESTARTS becomes 1, meaning it restarted once.
Failover
- Simply power off the node1 server.
- There is a threshold, e.g. 5 minutes (adjustable), during which node1 cannot be reached.
- After that, the services on node1 are moved to node2 (as new pods).
- The pods on node1 show the status Terminating.
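The self-healing and failover experiments above are verified by reading `kubectl get pod -owide`. As an added example that is not part of the original notes, the following check parses that output (a constructed sample built around the pod names used in the notes) and reports pods with RESTARTS above 0, pods not Running, and pods left Terminating on a node that went away; function names such as find_problems() are this example's own.

```python
"""Added example, not from the original notes: a check over the text output of
`kubectl get pod -o wide -A` that reports what the self-healing and failover
experiments produce (restarts, non-Running pods, pods stuck Terminating)."""
import re
from dataclasses import dataclass

# Constructed sample in the column layout of `kubectl get pod -o wide -A`.
SAMPLE_PODS = """\
NAMESPACE     NAME                                       READY   STATUS              RESTARTS     AGE    IP                NODE    NOMINATED NODE   READINESS GATES
default       my-dep-6b48cbf4f9-8ld9k                    1/1     Running             0            19m    192.168.166.143   node1   <none>           <none>
default       my-deploy-01-6f9c5575cc-v9dhf              1/1     Running             1 (2m ago)   30m    192.168.166.144   node1   <none>           <none>
default       my-dep-6b48cbf4f9-29sp4                    1/1     Terminating         0            135m   192.168.104.2     node1   <none>           <none>
default       myapp                                      0/2     ContainerCreating   0            50s    <none>            node2   <none>           <none>
kube-system   calico-kube-controllers-558995777d-grpms   1/1     Running             1            152m   192.168.166.130   node1   <none>           <none>
"""

# RESTARTS is "1" on the kubectl the notes use and "1 (2m ago)" on newer ones,
# so the optional "(... ago)" part is consumed and ignored.
ROW = re.compile(
    r"^(?P<ns>\S+)\s+(?P<name>\S+)\s+(?P<ready>\d+/\d+)\s+(?P<status>\S+)\s+"
    r"(?P<restarts>\d+)(?:\s+\([^)]*\))?\s+(?P<age>\S+)\s+(?P<ip>\S+)\s+(?P<node>\S+)"
)


@dataclass
class PodRow:
    namespace: str
    name: str
    ready: str
    status: str
    restarts: int
    age: str
    ip: str
    node: str


def parse_pods(text):
    """Turn the command output into PodRow records; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        m = ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append(PodRow(d["ns"], d["name"], d["ready"], d["status"],
                           int(d["restarts"]), d["age"], d["ip"], d["node"]))
    return rows


def find_problems(rows):
    """Return (namespace/name, reason) pairs that deserve a look."""
    problems = []
    for p in rows:
        ident = f"{p.namespace}/{p.name}"
        if p.status == "Terminating":
            # typical of a node that went away: the pod lingers until the node returns
            problems.append((ident, f"Terminating on {p.node}"))
        elif p.status != "Running":
            problems.append((ident, f"status {p.status}, ready {p.ready}"))
        else:
            have, want = p.ready.split("/")
            if have != want:
                problems.append((ident, f"running but only {p.ready} containers ready"))
        if p.restarts > 0:
            # this is the RESTARTS = 1 that the docker stop experiment produces
            problems.append((ident, f"restarted {p.restarts} time(s)"))
    return problems


def pods_per_node(rows):
    """How many Running pods each node carries; useful after a failover."""
    counts = {}
    for p in rows:
        if p.status == "Running":
            counts[p.node] = counts.get(p.node, 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_pods(SAMPLE_PODS)
    for ident, reason in find_problems(rows):
        print(f"{ident}: {reason}")
    print("running pods per node:", pods_per_node(rows))
```

Run it against real output with `kubectl get pod -o wide -A | python3 check_pods.py` after replacing SAMPLE_PODS with `sys.stdin.read()`; a pod whose RESTARTS keeps climbing is the crash-loop case the self-healing section describes, and a pod stuck Terminating is the failover case.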
Terminating n. (electrical) termination v. ending, terminating, dismissing (present participle of terminate)
terminate /ˈtɜːmɪneɪt/ v. to end, to stop; to reach the terminus; to terminate (a pregnancy); (US) to dismiss; (US) to kill (someone); to end with adj. terminal, final
Rolling update: set image deploy
Maintenance without downtime.
A new-version pod is started first; only once it runs normally is an old-version pod replaced.
- Kill one old pod, start one new pod. As soon as the new version shows a problem, the remaining pods are not updated.
- If new-version pod A has a problem, old-version pod B is still there and still serves requests.
kubectl describe deploy my-dep   # the description, which includes Events:
kubectl get deploy my-dep -oyaml
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: my-deploy-01   # use whatever container name you see here: for this one write my-deploy-01=nginx:1.xx; for a container named nginx write nginx=...
kubectl set image deployment/my-dep nginx=nginx:1.16.1 --record   # record this version update
# check whether the rolling update succeeded; the command blocks until it finishes
kubectl rollout status deployment/my-dep
Waiting for deployment "my-dep" rollout to finish: 1 out of 2 new replicas have been updated...
deployment "my-dep" successfully rolled out
# the image version can also be changed with kubectl edit deployment/my-dep, but that is worse: a direct edit without --record leaves no history entry
Default container name
When creating from YAML you normally specify the container name. If it is not specified, the image name or the deployment name is used:
- a deploy created from the command line uses the container (image) name
- a deploy created from the dashboard uses the deploy name
spec:
  containers:
  - image: nginx
    name: nginx
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: my-test-dep-02
record n. a record, an account; (someone's or something's) track record; (esp. sports) a best result v. to record, to write down; to record (audio/video); (of an instrument) to register; (esp. sports) to achieve adj. record-breaking
roll v. to roll, to tumble; to turn over; to set rolling, to start; (of a machine) to run; (of liquid) to roll down; to form into a ball or tube; to flatten n. a roll, a scroll; a rolled food, a wrap; a fold of skin or fat (usually at the neck or waist)
rolled out: spread out; rolled out
Rollback
# history
kubectl rollout history deployment/my-dep   # deployment can be shortened to deploy
# details of one revision
kubectl rollout history deployment/my-dep --revision=2
# if an upgrade and a rollback repeat the same change, they count as one revision
4 kubectl set image deployment/my-deploy-01 my-deploy-01=nginx:1.16.1 --record=true   # e.g. going back to this one: the history still has 2 entries, and this one becomes the latest
5 kubectl set image deployment/my-deploy-01 my-deploy-01=nginx --record=true
# roll back (to the previous revision)
kubectl rollout undo deployment/my-dep
# roll back (to a given revision)
kubectl rollout undo deployment/my-dep --to-revision=2
kubectl get deploy/my-dep -oyaml | grep image   # check the image to confirm the rollback
rollout /ˈrəʊlaʊt/ n. first showing, launch; (aviation) landing roll (the deceleration run along the runway after touchdown); also: rollout panel, pilot deployment
Other workloads
More:
Besides Deployment, k8s has StatefulSet, DaemonSet, Job and other resource types; together they are called workloads.
Stateful applications are deployed with StatefulSet, stateless applications with Deployment.
https://kubernetes.io/zh/docs/concepts/workloads/controllers/
Deployment: stateless application deployment, e.g. microservices; provides multiple replicas and so on
StatefulSet: stateful application deployment, e.g. redis; provides stable storage, networking and so on
- if the pod dies and is re-created, the previous data is still there
- the data is mounted from somewhere else
- mysql
- provides a fixed access address
DaemonSet: daemon-style deployment, e.g. a log collector; runs one copy on every machine
Job/CronJob: scheduled task deployment, e.g. a garbage cleanup component; can run at a specified time
daemon /ˈdiːmən/ n. demon, devil; daemon, background process; virtual drive software
Workloads
- Cron Jobs: scheduled tasks
- Daemon Sets: daemons
- Deployments
- Jobs
- Pods
- Replica Sets: replica sets
- Replication Controllers: replication controllers
  - ReplicationController is abbreviated RC. In practice Pods are rarely operated on directly; k8s can "self-heal" thanks to components such as rc (ReplicationController), rs (ReplicaSet) and Deployment.
  - A ReplicationController's job is to make sure the number of pods always matches its label selector; if it does not, it "schedules" as needed to make it so.
- Stateful Sets: stateful application deployment
4. Services
Service: service discovery and load balancing for Pods
- a group of services is called a Service
An abstraction that exposes a group of Pods as a network service.
Exposing and deleting a svc
# expose a deploy
# deploy/my-dep also works as a short form
# equivalent to appending the default --type=ClusterIP (cluster IP)
kubectl expose deployment my-dep --port=8000 --target-port=80
kubectl delete service my-dep   # delete; short form svc
kubectl get service   # shows the service IP
kubectl get svc       # short form
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP    22h
my-dep       ClusterIP   10.96.244.228   <none>        8000/TCP   2m19s
curl 10.96.244.228:8000   # inside the cluster, access via IP and port; repeated requests show the load balancing
Bug: the service name cannot be resolved from inside other containers
- remember to prepare two pods beforehand
/usr/share/nginx/html# echo 111 > index.html
/usr/share/nginx/html# echo 222 > index.html
kubectl create deployment my-tomat --image=tomcat
# exec into this pod; access via IP + port works
curl 10.96.244.228:8000
# <service name>.<namespace>.svc
# my-dep.default.svc:8000
# this should work too, but mine does not; maybe my calico install is not quite right,
# or maybe this feature has been removed
curl my-dep.default.svc:8000
curl: (6) Could not resolve host: my-dep.dafault.svc
Viewing labels
# show labels; one line per pod
kubectl get pod --show-labels
NAME                      READY   STATUS    RESTARTS   AGE    LABELS
my-dep-6b48cbf4f9-29sp4   1/1     Running   0          135m   app=my-dep,pod-template-hash=6b48cbf4f9
# select Pods by label
kubectl get pod -l app=my-dep
-l, --selector='': Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2)
Exposing with YAML
apiVersion: v1
kind: Service
metadata:
  labels:
    app: my-dep
  name: my-dep
spec:
  ports:
  - port: 8000
    protocol: TCP
    targetPort: 80
  selector:
    app: my-dep
  type: ClusterIP
The three svc types
A svc in k8s has three types: ClusterIP, NodePort and LoadBalancer. Their purpose is to decouple the front end from the back end.
kubectl expose deploy my-dep --port=8000 --target-port=80 --type=NodePort   # node port: reachable from outside the cluster too
# every node opens a port; the service can be reached via any node's public IP + that port
# the default --type=ClusterIP is for access inside the cluster
kubectl get svc   # one more port; every machine opens it, e.g. 30231
NAME     TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
my-dep   NodePort   10.96.150.241   <none>        8000:30231/TCP   6m41s
http://172.31.0.10:30231/   # reaching any node works, and the traffic is load-balanced
Port range
NodePorts lie in the range 30000-32767
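A NodePort opens the same port on every node, so the list of NodePort services is exactly what a node firewall has to allow. As an added example that is not part of the original notes, the following script builds that inventory from the text output of `kubectl get svc -A` (a constructed sample using the values shown in the notes) and checks each node port against the default 30000-32767 range; function names such as node_exposures() are this example's own.

```python
"""Added example, not from the original notes: an inventory of the ports a
cluster exposes on every node, derived from `kubectl get svc -A` output."""
import re

# Constructed sample in the layout of `kubectl get svc -A`.
SAMPLE_SVC = """\
NAMESPACE       NAME                                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
default         kubernetes                           ClusterIP   10.96.0.1       <none>        443/TCP                      24h
default         my-dep                               NodePort    10.96.150.241   <none>        8000:30231/TCP               6m41s
ingress-nginx   ingress-nginx-controller             NodePort    10.96.164.224   <none>        80:31404/TCP,443:30114/TCP   6m59s
ingress-nginx   ingress-nginx-controller-admission   ClusterIP   10.96.67.13     <none>        443/TCP                      6m59s
"""

# Default kube-apiserver --service-node-port-range.
NODEPORT_MIN, NODEPORT_MAX = 30000, 32767
# "8000:30231/TCP" (NodePort) or "443/TCP" (ClusterIP, no node port)
PORT_SPEC = re.compile(r"^(\d+)(?::(\d+))?/(\w+)$")


def in_nodeport_range(port):
    return NODEPORT_MIN <= port <= NODEPORT_MAX


def parse_ports(spec):
    """'80:31404/TCP,443:30114/TCP' -> [(80, 31404, 'TCP'), (443, 30114, 'TCP')];
    '443/TCP' -> [(443, None, 'TCP')]."""
    out = []
    for item in spec.split(","):
        m = PORT_SPEC.match(item.strip())
        if not m:
            raise ValueError(f"unrecognised port spec: {item!r}")
        port, nodeport, proto = m.groups()
        out.append((int(port), int(nodeport) if nodeport else None, proto))
    return out


def node_exposures(text):
    """One record per (service, port) pair that every node listens on."""
    rows = []
    for line in text.splitlines()[1:]:   # skip the header
        f = line.split()
        if len(f) < 7:
            continue
        namespace, name, svc_type, _cluster_ip, _external_ip, ports = f[:6]
        if svc_type != "NodePort":
            continue   # ClusterIP services are only reachable inside the cluster
        for port, nodeport, proto in parse_ports(ports):
            rows.append({"namespace": namespace, "name": name, "port": port,
                         "nodeport": nodeport, "protocol": proto,
                         "in_range": in_nodeport_range(nodeport)})
    return sorted(rows, key=lambda r: r["nodeport"])


def external_ports(text):
    """The sorted set of node ports a firewall allow-list has to cover."""
    return sorted({r["nodeport"] for r in node_exposures(text)})


if __name__ == "__main__":
    for r in node_exposures(SAMPLE_SVC):
        flag = "" if r["in_range"] else "  (outside the default NodePort range)"
        print(f"{r['nodeport']}/{r['protocol']} -> {r['namespace']}/{r['name']}:{r['port']}{flag}")
    print("open on every node:", external_ports(SAMPLE_SVC))
```

A port outside 30000-32767 means someone changed the apiserver's --service-node-port-range, which is worth knowing before writing firewall rules; note that the list only covers Services, so hostNetwork pods and hostPort mappings still have to be inventoried separately.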
5. Ingress
ingress /ˈɪnɡres/ n. entering; an entrance; the right of entry; entry (into a country)
Ingress: the unified gateway entry point in front of Services
Ingress
- Service
  - Pod: the smallest unit in k8s
    - the individual containers
svc and pod network ranges
kubeadm init \
  --service-cidr=10.96.0.0/16 \
  --pod-network-cidr=192.168.0.0/16
kubectl get svc
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP          24h
my-dep       NodePort    10.96.99.177   <none>        8081:31095/TCP   21m
kubectl get pod -owide
NAME                      READY   STATUS    RESTARTS   AGE   IP                NODE    NOMINATED NODE   READINESS GATES
my-dep-6b48cbf4f9-8ld9k   1/1     Running   0          19m   192.168.166.143   node1   <none>           <none>
- The above shows the pod-layer network and the service-layer network (order, user and product svcs).
- In front of the svcs sits one more layer, the Ingress: a request to http://xx.jd.com arrives at the Ingress.
  - orders: order.jd.com goes to the order svc
  - users: user.jd.com
  - jd.com/product requests all go to the product svc
- Underneath, it is Nginx doing reverse proxying.
Three network layers:
- pod layer
- service layer
- Ingress layer
Installation
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/baremetal/deploy.yaml
# change the image
vi deploy.yaml
# set the image value to:
registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/ingress-nginx-controller:v0.46.0
# check the result of the install
kubectl get pod,svc -n ingress-nginx
# finally, don't forget to open the ports exposed by the svc
kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.96.164.224   <none>        80:31404/TCP,443:30114/TCP   6m59s
ingress-nginx-controller-admission   ClusterIP   10.96.67.13     <none>        443/TCP                      6m59s
- Port 80 on the server is http, 443 is https.
- Exposed externally, as shown: 80:31404/TCP,443:30114/TCP
- Every node server exposes both ports, 31404 and 30114.
Ingress YAML
- The instructor has already replaced the image with one from his own registry:
registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/ingress-nginx-controller:v0.46.0
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - extensions
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io # k8s 1.14+
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader-nginx
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
          image: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/ingress-nginx-controller:v0.46.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /networking/v1beta1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-3.33.0
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 0.47.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-3.33.0
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 0.47.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
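The deploy.yaml above is applied as downloaded, so it is worth reading its securityContext settings before doing so. As an added example that is not part of the original notes or of the ingress-nginx project, the following script transcribes the controller container and the certgen job container into Python dicts and lists what a reviewer should consciously accept; the function audit_container() and the HARDENED reference spec are this example's own. That the upstream manifest keeps allowPrivilegeEscalation true so the nginx binary can pick up NET_BIND_SERVICE for ports 80/443 is an assumption here, not something the notes state; the check reports it anyway, because in any other workload it is a setting to turn off.

```python
"""Added example, not from the notes or the ingress-nginx project: a review of
container securityContext settings, run over specs transcribed from the
deploy.yaml above and over a hardened reference spec."""

# Transcribed from the controller Deployment above (only the fields the audit reads).
CONTROLLER = {
    "name": "controller",
    "securityContext": {
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        "runAsUser": 101,
        "allowPrivilegeEscalation": True,   # assumption: kept so file capabilities apply
    },
    "env": [
        {"name": "POD_NAME"},
        {"name": "POD_NAMESPACE"},
        {"name": "LD_PRELOAD", "value": "/usr/local/lib/libmimalloc.so"},
    ],
}

# Transcribed from the ingress-nginx-admission-create Job above. Its
# securityContext is pod-level in the YAML; it is merged in here because
# pod-level runAsUser/runAsNonRoot apply to the container unless overridden.
CERTGEN_JOB = {
    "name": "create",
    "securityContext": {"runAsNonRoot": True, "runAsUser": 2000},
    "env": [{"name": "POD_NAMESPACE"}],
}

# Reference spec (constructed for this example) that the audit accepts as clean.
HARDENED = {
    "name": "hardened",
    "securityContext": {
        "capabilities": {"drop": ["ALL"]},
        "allowPrivilegeEscalation": False,
        "runAsNonRoot": True,
        "runAsUser": 1000,
        "readOnlyRootFilesystem": True,
    },
    "env": [],
}


def audit_container(container):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    sc = container.get("securityContext", {})
    caps = sc.get("capabilities", {})
    if "ALL" not in [c.upper() for c in caps.get("drop", [])]:
        findings.append("capabilities: does not drop ALL")
    for cap in caps.get("add", []):
        findings.append(f"capabilities: adds {cap}")
    # Kubernetes defaults allowPrivilegeEscalation to true when it is unset.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation is true (the default when unset)")
    if sc.get("privileged", False):
        findings.append("privileged container")
    # Unset runAsUser means the image's user, root for most images, unless
    # runAsNonRoot makes the kubelet refuse to start it as uid 0.
    if sc.get("runAsUser", 0) == 0 and not sc.get("runAsNonRoot", False):
        findings.append("may run as root (runAsUser 0 or unset, runAsNonRoot not set)")
    if not sc.get("readOnlyRootFilesystem", False):
        findings.append("root filesystem is writable")
    for env in container.get("env", []):
        if env.get("name") == "LD_PRELOAD":
            findings.append(f"LD_PRELOAD set to {env.get('value')}: review the library it loads")
    return findings


def audit_all(containers):
    """Map each container name to its findings."""
    return {c["name"]: audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_all([CONTROLLER, CERTGEN_JOB, HARDENED]).items():
        print(f"{name}: {'clean' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The same checks are what a Pod Security admission "restricted" profile enforces cluster-wide; running them by hand on a third-party manifest before `kubectl apply` shows which exceptions that manifest will need, and the LD_PRELOAD finding is a reminder that the controller image loads a library into nginx that a supply-chain review should cover.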
Usage
Official site: https://kubernetes.github.io/ingress-nginx/
It is built on nginx.
kubectl edit ing ingress-limit-rate
Test case YAML
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hello-server
  template:
    metadata:
      labels:
        app: hello-server
    spec:
      containers:
      - name: hello-server
        image: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/hello-server
        ports:
        - containerPort: 9000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-demo
  name: nginx-demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-demo
  template:
    metadata:
      labels:
        app: nginx-demo
    spec:
      containers:
      - image: nginx
        name: nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx-demo
  name: nginx-demo
spec:
  selector:
    app: nginx-demo
  ports:
  - port: 8000
    protocol: TCP
    targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hello-server
  name: hello-server
spec:
  selector:
    app: hello-server
  ports:
  - port: 8000
    protocol: TCP
    targetPort: 9000
- 80:31404/TCP,443:30114/TCP
hello.atguigu.com:31404 hands requests to hello-server; demo.atguigu.com:31404 hands requests to nginx-demo.
Host-based routing rules and hosts file setup
Configure the local hosts file:
<master node ip> hello.atguigu.com
<master node ip> demo.atguigu.com
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-bar
spec:
  ingressClassName: nginx
  rules:
  - host: "hello.atguigu.com"   # intercepts hello.atguigu.com/anything
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: hello-server
            port:
              number: 8000
  - host: "demo.atguigu.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"   # requests are forwarded to the service below; that service must be able to handle the path, otherwise 404
        backend:
          service:
            name: nginx-demo   # for a java app, e.g. use path rewriting to strip the nginx prefix
            port:
              number: 8000
- If it does not work, delete the validating webhook and try again
kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
# prints
validatingwebhookconfiguration.admissionregistration.k8s.io "ingress-nginx-admission" deleted
Access test, and changing the routing rule
http://demo.atguigu.com:31404/ returns the Nginx welcome page
- change the path to /nginx and visit http://demo.atguigu.com:31404/nginx
- that still counts as forwarding to the demo project
http://hello.atguigu.com:31404/ returns hello world
kubectl get ingress   # how many rules the cluster has
kubectl get ing
kubectl edit ing ingress-host-bar   # followed by the name
  - host: "demo.atguigu.com"
    http:
      paths:
      - pathType: Prefix
        path: "/nginx"   # change it to this
# exec into the matching nginx container
# cd /usr/share/nginx/html/
echo 1111 > nginx
# now visiting http://demo.atguigu.com:31404/nginx repeatedly downloads this file
Path rewriting
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rewrite
https://kubernetes.github.io/ingress-nginx/examples/rewrite/
$ echo '
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: rewrite
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: rewrite.bar.com
    http:
      paths:
      - path: /something(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: http-svc
            port:
              number: 80
' | kubectl create -f -
For example, the ingress definition above will result in the following rewrites:
rewrite.bar.com/something rewrites to rewrite.bar.com/
rewrite.bar.com/something/ rewrites to rewrite.bar.com/
rewrite.bar.com/something/new rewrites to rewrite.bar.com/new
In the regex: a back-reference inside the pattern is \\<group number>; a reference from outside (the rewrite target) is $<group number>.
Hands-on YAML
- Delete first, then apply -f.
- This automatically strips /nginx from http://demo.atguigu.com:31404/nginx.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: ingress-host-bar
spec:
  ingressClassName: nginx
  rules:
  - host: "hello.atguigu.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: hello-server
            port:
              number: 8000
  - host: "demo.atguigu.com"
    http:
      paths:
      - pathType: Prefix
        path: "/nginx(/|$)(.*)"   # requests are forwarded to the service below; that service must be able to handle the path, otherwise 404
        backend:
          service:
            name: nginx-demo   # for a java app, e.g. use path rewriting to strip the nginx prefix
            port:
              number: 8000
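The host rules, the documented `/something(/|$)(.*)` rewrite and the hands-on YAML above all come down to one question: for a given host and path, which backend receives the request and with which upstream path. As an added example that is not part of the original notes, the following model answers that offline. The rules are transcribed from the notes' YAML into Python data (including the Exact-match rule of the rate-limiting ingress further below, so both path types are covered); route(), prefix_match(), regex_match() and apply_rewrite() are this example's own names. Two points are assumptions to verify against the nginx.conf the controller generates: a missing capture group is rewritten as an empty string, and regex paths match case-insensitively as the controller's `~*` locations do.

```python
"""Added example, not from the original notes: a model of how ingress-nginx
resolves (host, path) to a backend and applies rewrite-target."""
import re

# Rules transcribed from the notes' ingress-host-bar (rewrite version) and
# ingress-limit-rate objects. backend = (service name, port number).
INGRESSES = [
    {
        "name": "ingress-host-bar",
        "rewrite_target": "/$2",   # the annotation applies to every path of this Ingress
        "rules": [
            {"host": "hello.atguigu.com",
             "paths": [{"pathType": "Prefix", "path": "/",
                        "backend": ("hello-server", 8000)}]},
            {"host": "demo.atguigu.com",
             "paths": [{"pathType": "Prefix", "path": "/nginx(/|$)(.*)",
                        "backend": ("nginx-demo", 8000)}]},
        ],
    },
    {
        "name": "ingress-limit-rate",
        "rewrite_target": None,
        "rules": [
            {"host": "haha.atguigu.com",
             "paths": [{"pathType": "Exact", "path": "/",
                        "backend": ("nginx-demo", 8000)}]},
        ],
    },
]


def prefix_match(rule_path, req_path):
    """Kubernetes Prefix semantics are element-wise: /nginx matches /nginx and
    /nginx/x but not /nginxfoo."""
    rule = rule_path.rstrip("/") or "/"
    if rule == "/":
        return True
    return req_path == rule or req_path.startswith(rule + "/")


def regex_match(rule_path, req_path):
    """With rewrite-target set, ingress-nginx treats the path as a regex
    anchored at the start (assumption: case-insensitive, like its ~* locations)."""
    return re.match("^" + rule_path, req_path, re.IGNORECASE)


def apply_rewrite(target, m):
    """Replace $1, $2, ... in the rewrite target with the capture groups.
    Assumption: an absent or unmatched group becomes an empty string."""
    def group(n):
        return (m.group(n) or "") if n <= m.re.groups else ""
    return re.sub(r"\$(\d+)", lambda g: group(int(g.group(1))), target)


def route(host, path):
    """Return (service, port, upstream_path) for a request, or None for a 404."""
    for ing in INGRESSES:
        for rule in ing["rules"]:
            if rule["host"].lower() != host.lower():
                continue
            for p in rule["paths"]:
                svc, port = p["backend"]
                if ing["rewrite_target"] is not None:
                    m = regex_match(p["path"], path)
                    if m:
                        return svc, port, apply_rewrite(ing["rewrite_target"], m)
                elif p["pathType"] == "Exact":
                    if path == p["path"]:
                        return svc, port, path
                elif prefix_match(p["path"], path):
                    return svc, port, path
    return None


if __name__ == "__main__":
    for host, path in [("demo.atguigu.com", "/nginx"),
                       ("demo.atguigu.com", "/nginx/index.html"),
                       ("demo.atguigu.com", "/nginxfoo"),
                       ("hello.atguigu.com", "/abc"),
                       ("haha.atguigu.com", "/"),
                       ("haha.atguigu.com", "/index.html")]:
        print(f"{host}{path} -> {route(host, path)}")
```

Note what the model makes visible: `/nginxfoo` is a 404 because `(/|$)` refuses it, the Exact rule on haha.atguigu.com rate-limits only `/` itself, and because the rewrite annotation is Ingress-wide, the hello.atguigu.com `/` rule is rewritten too, which is why a rewrite rule is best kept in its own Ingress object.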
Rate limiting
- All the advanced features live in the annotations.
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting
- First edit the hosts file: 172.31.0.10 haha.atguigu.com
- Visit http://haha.atguigu.com:31404/ to get the nginx welcome page.
- Refreshing too fast returns service unavailable: 503 Service Temporarily Unavailable
- The status code can be changed from 503: https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-limit-rate
  annotations:
    nginx.ingress.kubernetes.io/limit-rps: "1"
spec:
  ingressClassName: nginx
  rules:
  - host: "haha.atguigu.com"
    http:
      paths:
      - pathType: Exact   # exact match
        path: "/"
        backend:
          service:
            name: nginx-demo
            port:
              number: 8000
exact /ɪɡˈzækt/ adj. exact, precise; rigorous, meticulous; accurate v. to extort; to exact (revenge); to take a heavy toll